I know the conventional wisdom is, never store API keys in the frontend — instead always store this on the server-side. My programming / web development up to this point has all been pretty simple stuff, to the degree that I’ve never really needed to use secret API keys or info like this that needs to be hidden. Everything has basically just been HTML / CSS / JS.
My initial thinking was — “ok, store it on the backend means, like when i have a database and there’s that code that runs when you send a request to the database, i can store the API keys inside of there, since that’s like a hidden black box that people can’t access.”
Now it appears another option is, I can have other filetypes on my Hostgator website, where those filetypes will remain hidden/secured, to where nobody can access the actual interiors of the files. So in my websites public_html HTML/CSS/JS frontend files, I could send Javascript requests to those PHP files, and use the outputs as needed — but nobody could access and actually see the contents of those PHP files.
Is my understanding of how this all works correct?
6
It’s arguably better for configurability to store variables such as keys in a separate file and load them at runtime – that way you can deploy your code in different environments, and with different key values etc, without needing two different copies of the code base.
It also keeps such keys out of your source control repository, meaning there’s one less place for them to leak from.
But yes if you’ve hard coded the API key as a variable into a PHP script it won’t ever be shown to an end user, because php code never is – unless your server is seriously misconfigured of course.
3